Share this page!

Kim Zetter Profile picture
Twitter logo
22 Dec, 11 tweets, 3 min read
Per briefing today on SolarWinds hack, @RonWyden says IRS was not compromised or taxpayer data affected. However, hack of Treasury Department "appears to be significant." Treasury breach began in July, "the full depth of which isn’t known."
Microsoft notified Treasury Dept that dozens of email accounts were compromised. Additionally the hackers broke into systems in the Departmental Offices division of Treasury, home to Treasury's highest-ranking officials. Treasury still doesn't know precisely what info was stolen.
.@RonWyden on SW: “[A]fter yrs of gov officials advocating for encryption backdoors and ignoring warnings from [infosec] experts who said...encryption keys [are targets] for hackers, the USG has..suffered a breach that seems to involve...stealing encryption keys from USG servers”
What does Wyden mean when he says they stole encryption keys from US gov servers? "Once the hackers gained access to [Treasury Dept's] Departmental Offices network, they stole an encryption key used by Treasury's 'single sign on' login infrastructure," a Wyden aide tells me.
"With this key, the hackers were able to forge the credentials necessary to gain legitimate access to several Microsoft cloud-hosted email accounts," Wyden's aide says, attributing the info to Treasury officials who provided a briefing on the SolarWinds hack.
This matches what Microsoft had revealed in its writeup where it discussed how the SolarWinds hackers stole SAML encryption certificates for the targets who were hacked (blogs.microsoft.com/on-the-issues/…)
Here's Microsoft describing it: The intruders using admin permissions gained access to an org’s trusted SAML token-signing cert. "This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts."
The forged tokens "can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate." In other words, the keys to the kingdom.
NYT is now reporting that per Treasury Dept, Treasury Secretary Steven Mnuchin’s email account was not among those that were breached.
Treasury Secretary Steven Mnuchin, addressing the breach of the Treasury Dept with CNBC, said today: “At this point, we do not see any break-in into our classified systems. Our unclassified systems did have some access.”
Mnuchin speaking about Treasury hack: “I can assure you, we are completely on top of this

NYT [in narrator voice:] "He did not explain how the Russian presence was not detected in the system for more than four months."

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Kim Zetter

Kim Zetter Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @KimZetter

Kim Zetter Profile picture
18 Dec
New: SolarWinds hackers did test-run of spy operation in Oct 2019, when malicious SolarWinds files were first downloaded by customers. That version didn't have backdoor in it, however. Indicates hackers were in SolarWinds network in 2019, if not earlier. news.yahoo.com/hackers-last-y…
Investigators have so far found no evidence the attackers did anything to infected machines once the malicious Oct 2019 SolarWinds software was installed; suggests this was just a dry-run to test that their malicious files would deliver to customer machines and not be detected.
I also clarify in story how FireEye first discovered breach. It occurred when the hackers, who already had an employee's credentials, used those to register their own device to FireEye's multi-factor authentication system so they could receive the employee's unique access codes.
Read 7 tweets
Kim Zetter Profile picture
18 Dec
Wow, this is bold. Employee of a US telecom, who was based in China, has been charged w/ disrupting video-conference meetings held in May and June this year by parties in the US to commemorate the June 4, 1989 Tiananmen Square massacre in China. justice.gov/opa/pr/china-b…
"No company with significant business interests in China is immune from the coercive power of the Chinese Communist Party. The Chinese Communist Party will use those within its reach to sap the tree of liberty, stifling free speech in China, the United States and elsewhere"
"The allegations in the complaint lay bare the Faustian bargain that the PRC government demands of U.S. technology companies doing business within the PRC’s borders, and the insider threat that those companies face from their own employees in the PRC”
Read 8 tweets
Kim Zetter Profile picture
17 Dec
Second supply chain hack in SolarWinds campaign announced. Microsoft was also breached in the SolarWinds hack operation. Once in Microsoft’s network, the company's own "products were then used to further the attacks on others". Story from @josephmenn reuters.com/article/global…
If SolarWinds was used to hack Microsoft, and Microsoft was then used to hack Microsoft customers, this essentially means one supply chain was used to hack another supply chain. That's an impressive kill chain.
How often have we all said this before? "Some major companies have issued carefully worded statements saying that they have 'no evidence' that they were penetrated, but in some cases that may only be because the evidence was removed [by the attackers]" reuters.com/article/us-usa…
Read 6 tweets
Kim Zetter Profile picture
14 Dec
Someone asked me to provide a simple description of what this SolarWinds hack is all about. So for anyone who is confused by the technical details, here's a thread with a simplified explanation of what happened and what it means.
The maker of software that is used in the highest echelons of gov, including the White House and NSA, was compromised by attackers who slipped malicious code into the software maker's trusted code without the software maker knowing it. The code got distributed to its customers
That malicious code, once it infected customer systems, opened a backdoor into those systems and contacted the hackers to let them know the door was open for them to surreptitiously enter those systems and begin stealing sensitive data on those networks.
Read 7 tweets
Kim Zetter Profile picture
14 Dec
@tcward_ The maker of software that is used in the highest echelons of gov, including the White House and NSA, was compromised by attackers who slipped malicious code into the software maker's trusted code without the software maker knowing it. The code got distributed to its customers
@tcward_ That malicious code, once it infected customer systems, opened a backdoor into those systems and contacted the hackers to let them know the door was open for them to surreptitiously enter those systems and begin stealing sensitive data on those networks.
@tcward_ The hackers did this back in March and their activity was only recently discovered - this means they have been inside gov systems all these months stealing data and spying on gov workers without anyone knowing until now. They also infected telecoms and other company networks.
Read 4 tweets
Kim Zetter Profile picture
14 Dec
I have report from Microsoft about SolarWinds hack, including IoCs. Excerpts in this thread: "Microsoft security researchers recently discovered a sophisticated attack where an adversary inserted malicious code into a supply chain development process.... 1/
"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate. The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.... 2/
"This attack was discovered as part of an ongoing investigation" 3/
Read 21 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @KimZetter has new unrolls!

Check out other threads from @KimZetter!

Read all threads by @KimZetter